Bloody
'''Bloody''' is a virus for DOS. The virus was released to the wild in December 1990, and infection reports were received from Europe, Taiwan, and the United States. Bloody is a memory-resident infector of floppy diskette boot sectors and of the hard disk's master boot sector (MBR).

== Payload ==
When a system is booted from a floppy or hard disk infected with the virus, the virus installs itself memory resident at the top of system memory, just below the 640K DOS boundary. Total system memory and the free memory reported by the operating system both decrease by 2,048 bytes, because the virus lowers the memory size returned by the BIOS interrupt 12h call. The system boot also takes noticeably longer than normal. If the system was booted from a diskette, the hard disk's master boot sector is infected immediately.

At each boot the virus also maintains a counter of how many times the infected diskette or hard drive has been booted. Once 128 boots have occurred, the virus displays the following message during the boot:

Bloody! Jun. 4, 1989

June 4, 1989 is the date of the Tiananmen Square protests in Beijing, China, a confrontation between Chinese students and the Chinese Army in which many students were killed. After the 128-boot limit has been reached, the message is displayed again on every sixth boot. The text message is stored encrypted within the viral code, so it is not visible in the boot sector.

Once Bloody is memory resident, it infects any diskette or hard disk when a file or program on it is accessed; listing a disk directory is not enough to trigger infection. Infected diskette boot sectors lack all of the normal DOS error messages found in a clean boot sector. On 360K diskettes the original boot sector is moved to sector 11, which is part of the root directory; any root directory entries previously stored in that sector are overwritten, and the files they described are lost.
On the hard disk, the original master boot sector is moved to side 0, cylinder 0, sector 6. Floppies of sizes other than 360K may become unusable or corrupted, because the virus does not take the layout of those disk types into account when choosing where to store the original boot sector.

== Variant ==
*Bloody-B: This variant is functionally equivalent to the original virus. It has been altered to avoid detection by most anti-viral utilities.

== Removal ==
To remove the Bloody virus from the hard disk's master boot sector, locate the original master boot sector (at side 0, cylinder 0, sector 6) and copy it back to its original position. The other option is to back up the files on the hard disk and low-level format the drive. Under DOS 5.0 and later, the master boot sector can be rebuilt with the DOS FDISK program's undocumented /MBR option, which rewrites the boot code while leaving the partition table in place. Removing the virus from diskettes requires that it not be memory resident: power the system off, boot from a known clean, write-protected original DOS diskette, and then run the DOS SYS command on each infected diskette to rewrite its boot sector. Neither procedure restores the root directory entries that the relocated boot sector overwrote.

Category:DOS Category:DOS virus Category:Boot sector virus Category:Virus Category:Assembly
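The relocation scheme described above (original boot sector parked at sector 11 on a 360K diskette, original MBR parked at side 0, cylinder 0, sector 6, and infected diskette boot sectors missing the usual DOS error messages) can be checked and undone on a raw disk image. The following script is an added example written for this page, not code from the original article or from any anti-viral utility it mentions. It assumes 512-byte sectors, 1-based CHS sector numbering (so diskette sector 11 is LBA 10 and hard disk sector 6 is LBA 5), and that a clean FDISK layout leaves LBA 5 of the hard disk unused, so a second MBR there with the same partition table as sector 0 is the tell. The sample sectors it builds are constructed stand-ins, not real virus code, and the DOS error message strings are the ones carried by DOS's own boot sector code.

```python
"""Triage and repair of a Bloody-style boot-sector relocation on raw disk images.
Added example, not code from the original page.  Layout assumptions (from the page):
  360K diskette: original boot sector parked at sector 11 -> LBA 10 (inside the root directory)
  hard disk:     original MBR parked at side 0, cylinder 0, sector 6 -> LBA 5
  an infected diskette boot sector lacks the usual DOS boot error messages
Sample sectors built at the bottom are constructed stand-ins, not real virus code."""
import struct

SECTOR = 512
FLOPPY_360K_BACKUP_LBA = 10
HDD_BACKUP_LBA = 5
PT_OFF = 446                       # partition table offset inside an MBR
DOS_BOOT_MESSAGES = (b"Non-System disk or disk error",
                     b"Replace and press any key when ready")

def sector(image, lba):
    return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])

def has_signature(sec):
    return len(sec) == SECTOR and sec[510:] == b"\x55\xaa"

def looks_like_dos_boot_sector(sec):
    """Jump opcode, a BPB with 512-byte sectors, and the messages DOS boot code carries."""
    if not has_signature(sec) or sec[0] not in (0xEB, 0xE9):
        return False
    (bytes_per_sector,) = struct.unpack_from("<H", sec, 11)
    return bytes_per_sector == 512 and all(m in sec for m in DOS_BOOT_MESSAGES)

def partition_table(sec):
    return sec[PT_OFF:PT_OFF + 64]

def looks_like_mbr(sec):
    """0x55AA plus a partition table with valid boot flags and at most one active entry."""
    if not has_signature(sec):
        return False
    entries = [partition_table(sec)[i * 16:(i + 1) * 16] for i in range(4)]
    used = [e for e in entries if e != b"\x00" * 16]
    if not used or any(e[0] not in (0x00, 0x80) for e in used):
        return False
    return sum(e[0] == 0x80 for e in used) <= 1

def triage(image, kind):
    """Report whether sector 0 looks tampered with and whether a usable original is parked."""
    sec0 = sector(image, 0)
    if kind == "floppy360":
        backup = sector(image, FLOPPY_360K_BACKUP_LBA)
        backup_valid = looks_like_dos_boot_sector(backup)
        sector0_suspicious = has_signature(sec0) and not looks_like_dos_boot_sector(sec0)
    elif kind == "hdd":
        # The viral MBR keeps the partition table so DOS still boots; the tell is a second
        # MBR with the same table parked at LBA 5 (assumed unused on a clean FDISK layout).
        backup = sector(image, HDD_BACKUP_LBA)
        backup_valid = looks_like_mbr(backup)
        sector0_suspicious = (looks_like_mbr(sec0) and backup_valid
                              and partition_table(backup) == partition_table(sec0)
                              and backup != sec0)
    else:
        raise ValueError("kind must be 'floppy360' or 'hdd'")
    return {"sector0_suspicious": sector0_suspicious, "backup_valid": backup_valid,
            "repairable": sector0_suspicious and backup_valid}

def repair(image, kind):
    """Copy the parked original back over sector 0, but only when triage validated it."""
    if not triage(image, kind)["repairable"]:
        raise RuntimeError("no validated original sector to restore; leave the disk alone")
    lba = FLOPPY_360K_BACKUP_LBA if kind == "floppy360" else HDD_BACKUP_LBA
    fixed = bytearray(image)
    fixed[0:SECTOR] = sector(image, lba)
    # On a 360K diskette the root-directory entries that lived in sector 11 were
    # overwritten by the virus; restoring the boot sector does not bring them back.
    return bytes(fixed)

# ---- constructed sample images (stand-ins, not real virus code) ----
def make_360k_boot_sector(with_messages):
    bpb = struct.pack("<HBHBHHBHHHI", 512, 2, 1, 2, 112, 720, 0xFD, 2, 9, 2, 0)
    sec = bytearray(b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb)
    sec += b"\x90" * (256 - len(sec))                     # opaque code region
    if with_messages:
        sec += b"\r\n".join(DOS_BOOT_MESSAGES) + b"\r\n"
    return bytes(sec.ljust(510, b"\x00") + b"\x55\xAA")

def make_mbr(code):
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\x0F\x3F\x00", 63, 20000)
    return bytes(code.ljust(PT_OFF, b"\x00")[:PT_OFF] + entry + b"\x00" * 48 + b"\x55\xAA")

def sample_images():
    clean_boot, viral_boot = make_360k_boot_sector(True), make_360k_boot_sector(False)
    floppy_clean, floppy_infected = bytearray(720 * SECTOR), bytearray(720 * SECTOR)
    floppy_clean[0:SECTOR] = clean_boot
    floppy_infected[0:SECTOR] = viral_boot
    floppy_infected[10 * SECTOR:11 * SECTOR] = clean_boot   # parked original
    hdd_clean, hdd_infected = bytearray(64 * SECTOR), bytearray(64 * SECTOR)
    hdd_clean[0:SECTOR] = make_mbr(b"original loader stub")
    hdd_infected[0:SECTOR] = make_mbr(b"viral loader stub (stand-in)")
    hdd_infected[5 * SECTOR:6 * SECTOR] = make_mbr(b"original loader stub")
    return {"floppy_clean": bytes(floppy_clean), "floppy_infected": bytes(floppy_infected),
            "hdd_clean": bytes(hdd_clean), "hdd_infected": bytes(hdd_infected)}

if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, triage(img, "floppy360" if name.startswith("floppy") else "hdd"))
```

The check is deliberately structural rather than signature based: the message text is encrypted in the viral body and Bloody-B was altered to defeat scanners, but both must still park the original sector at the documented location for the machine to boot. `repair` refuses to touch sector 0 unless the parked copy validates, since overwriting a boot sector with garbage leaves the disk unbootable, and, as the article notes, nothing here recovers the root directory entries the diskette relocation destroyed.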